Firebox as DNS server/forwarder

Not sure if I"m not configured correctly or not, but is there any way currently [or maybe this is a feature request?] to configure the firebox as the primary DNS for DHCP clients, but still get the DHCP server to register client lease names with another DNS server to allow client DNS names to be registered with an internal DNS server(s). From what I can tell, there is not option for this and since most clients will only register DNS with the FIRST DNS server on their list, no clients will appear registered in DNS if the primary DNS server used is the firewall.

As I see it now, my choice is either to use the firebox as DNS server and lose the ability for name resolution for devices on the network, or point the clients to our internal DNS server which might be across a VPN link and not ideal in most cases when the firebox has this nice DNS forwarding feature capability.

I"m hoping I"m just missing something and there is a way to register that DNS information with an internal DNS server (which if there isn't, this is a feature request and it should have the ability to assign a username account for updating so that we can continue to use secure DNS updates too).

Comments

  • Well, I thought I knew the answer until I read "...most clients will only register DNS with the FIRST DNS server on their list, no clients will appear registered in DNS if the primary DNS server used is the firewall."

    However, I am wondering if conditional forwarding in the Firebox would pass the packets to the internal DNS server in a manner that still would allow them to register with the internal DNS server.

    I think I know what I will be doing this weekend...Testing!

    Gregg Hill

  • @Bruce_Briggs - that is exactly what I'm trying to use, but as I said, it appears that my choice is that if I use it, I lose client DNS name updates for our internal DNS servers.
    @GreggHill - I"m going to retry now with my guest network which updates quickly to see if my recent changes pass those names back to the internal DNS servers, but I highly doubt it will. I know when I posted this originally, using the firewall as the client DNS did not work (even with a local DNS as a secondary DNS).

    I guess while we are at it, the DHCP service also doesn't update internal DNS servers either which is why I don't use those either. Name resolution isn't critical on guest/user networks, but it is for anything with devices/servers attached.

  • Andrew,

    I always do LAN DHCP on my Windows server if it's an Active Directory domain for the reason you mentioned.

    I remember when I tried DNSWatch, there was something about using the Network > WINS/DNS page, putting the LAN AD server's IP address as the first DNS server, then whatever external DNS one wants as the second/third.

    I stopped using DNSWatch when my biggest client lost all Internet access due to DNSWatch being down, and I have not had the guts to re-enable it.

    Gregg Hill

  • yea... not using DNSWatch, just trying to use the firebox as the primary DNS server and take advantage of DNS forwarding for the internal domains. The biggest driver is for the remote sites since it doesn't make sense to send the DNS query back through the VPN for things like google.com.

    I think dynamic DNS registration is working with the DNS server security settings set to allow unsecured updates :/ In the meantime, I see all the iPhone.domain.com duplicate names in DHCP and it appears they each overwrite the DNS records. Thanks apple! At least android appears to append the mac address to their default names to keep them unique.

    I haven't gotten the remote clients to show on the DNS servers yet, but I need to check some other settings to see why as it at least appears to work (unsecured) locally.

    Feature request: add option to provide credentials to allow for secure updates to DNS servers ;)

  • Note that XTM is just a DNS forwarder, not a true DNS server

  • I get that it isn't a DNS server and just a forwarder. I haven't had a chance to try and dig into the inter-VPN links, but it does appear to at least forward the registration requests locally. That is pretty good. It would be even nicer it it would allow for that to be done in a secure manner, but in this case it isn't critical.

Sign In to comment.